Solved

Ensuring all VLANs/subnets are covered in VA & industry practices

Posted on 2016-10-06
Last Modified: 2016-11-07
Q1
As a governance/compliance person, I'm often not updated by the network teams when
new VLANs / subnets are created. The network diagram may not be updated in a timely manner either.
What are the surest ways to check? Get a read-only account on the core switch & issue
a command to see all the VLANs there? Or where is the best place/device to see all
VLANs/subnets in a corporate network?

Q2
For Cisco switches/routers, is there a way to automatically configure something to obtain the
output of a certain command (say 'show vlan all') & get it emailed out? Can Tripwire or
TACACS+ do this?

Q3
For internal VA scans, which subnets/VLANs are scanned? Do they scan only server
VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is Management
crucial), or user/PC VLANs plus DR and UAT VLANs (where the DR/UAT
servers sit) as well?
Question by:sunhux
5 Comments
Author Comment

by:sunhux
ID: 41831520
We have both Cisco & Nexus switches/routers, so do provide the commands

Author Comment

by:sunhux
ID: 41831526
This whole thing arises from auditor: how do we ensure and show evidence
that all network segments are scanned (& he meant the relevant segments)

Accepted Solution

by:
SIM50 earned 500 total points
ID: 41831794
As a governance/compliance person, I'm often not updated by the network teams when new VLANs / subnets are created. The network diagram may not be updated in a timely manner either. What are the surest ways to check? Get a read-only account on the core switch & issue
a command to see all the VLANs there? Or where is the best place/device to see all
VLANs/subnets in a corporate network?

I think it would be better to look at the routing table to see if new routes were installed. Take a snapshot and then run a compare from time to time. The core switch would be the best place to look it up. I wouldn't look at the VLANs because not all of them might exist on that switch.
Edit: Forgot to mention this. It also depends on your internal routing protocol. For EIGRP, this would work no problem. For OSPF, I would get a routing table from each ASBR as the routes are usually summarized when they cross area boundaries.

For Cisco switches/routers, is there a way to automatically configure something to obtain the output of a certain command (say 'show vlan all') & get it emailed out? Can Tripwire or TACACS+ do this?

Look up Cisco Embedded Event Manager (EEM). There are applets for what you want. Might require a bit of scripting.

For internal VA scans, which subnets/VLANs are scanned? Do they scan only server VLANs/zones, i.e. DMZ, Apps/internal, DB & management zones (is
Management crucial), or user/PC VLANs plus DR and UAT VLANs (where the DR/UAT
servers sit) as well?

Not sure what you are asking here. Can you please elaborate? What is VA, UAT?
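The accepted solution's advice is to snapshot the core switch routing table and compare it from time to time, and the author's underlying need is evidence for the auditor that every relevant segment is covered by the VA scans. The script below is an added example (not code from the thread or from any vendor) that does both: it parses IOS-style `show ip route` output, reports prefixes that appeared or disappeared between two snapshots, and lists routed networks that fall outside the VA scan target list. The route dumps and the scan target list are constructed sample data; the parser assumes the IOS 15 `show ip route` layout shown in those samples (NX-OS prints routes differently, so a Nexus dump would need its own parser), IPv4 only, and it deliberately ignores /32 local routes, the default route and "is subnetted" summary headers so they are not reported as segments.

```python
"""Routing-table snapshot diff plus VA scan coverage check.

Assumptions (not from the original thread): IOS 15 style 'show ip route' text,
IPv4 only, and a scan target list exported from the VA tool as CIDR strings.
"""
import re
from ipaddress import ip_network

# First "a.b.c.d/len" token on a line is the route prefix (next-hops have no /len).
PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def parse_routes(show_ip_route: str) -> set:
    """Return the set of networks worth scanning from a 'show ip route' dump.

    Skipped on purpose: 'is (variably) subnetted' summary headers, /32 local
    routes (L), and the default route (S*), none of which is a segment.
    """
    networks = set()
    for line in show_ip_route.splitlines():
        if "subnetted" in line:
            continue
        m = PREFIX_RE.search(line)
        if not m:
            continue  # legend, 'Gateway of last resort', blank lines
        net = ip_network(m.group(1), strict=False)
        if net.prefixlen in (0, 32):
            continue
        networks.add(net)
    return networks


def diff_snapshots(old: set, new: set):
    """Networks that appeared in / vanished from the routing table since the last snapshot."""
    return sorted(new - old), sorted(old - new)


def uncovered_segments(routes: set, scan_targets) -> list:
    """Routed networks not contained in any VA scan target: the auditor's coverage gap."""
    targets = [ip_network(t, strict=False) for t in scan_targets]
    return sorted(n for n in routes if not any(n.subnet_of(t) for t in targets))


# Constructed sample snapshots (IOS 15 layout); VLAN 40 appears only in the new one.
SNAPSHOT_OLD = """\
Codes: L - local, C - connected, S - static, D - EIGRP, O - OSPF, IA - OSPF inter area
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        10.10.10.0/24 is directly connected, Vlan10
L        10.10.10.1/32 is directly connected, Vlan10
D        10.20.0.0/16 [90/3072] via 10.10.10.2, 00:05:12, Vlan10
O IA     10.30.5.0/24 [110/20] via 10.10.10.3, 1d02h, Vlan11
C        10.99.0.0/24 is directly connected, Vlan99
"""
SNAPSHOT_NEW = SNAPSHOT_OLD.replace("5 subnets", "6 subnets") + (
    "D        10.40.0.0/24 [90/3072] via 10.10.10.2, 00:00:40, Vlan10\n"
)
# Constructed scan target list, as exported from the VA tool before VLAN 40 existed.
SCAN_TARGETS = ["10.10.10.0/24", "10.20.0.0/16", "10.30.5.0/24", "10.99.0.0/24"]


if __name__ == "__main__":
    old, new = parse_routes(SNAPSHOT_OLD), parse_routes(SNAPSHOT_NEW)
    added, removed = diff_snapshots(old, new)
    print("new routes since last snapshot:", [str(n) for n in added])
    print("routes withdrawn since last snapshot:", [str(n) for n in removed])
    print("routed but not in any scan target:",
          [str(n) for n in uncovered_segments(new, SCAN_TARGETS)])
```

In practice the two snapshots are the saved output of `show ip route` from the core switch (or, per the OSPF caveat above, from each ASBR), collected on a schedule; the uncovered list, kept alongside the dated snapshots, is the evidence trail the auditor asked for.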
Author Comment

by:sunhux
ID: 41832853
VA = Vulnerability Assessment
Some VA tools are like Nessus, McAfee Vulnerability Manager

UAT = a User Acceptance Test (i.e. a test server)

Assisted Solution

by:SIM50
SIM50 earned 500 total points
ID: 41833522
I do network security designs and implementations, so systems and policies are not really my forte. From my experience, though, vulnerability scanning depends on the corporate policy and the compliance standard a company falls under. For PCI, for example, you should scan all devices that fall in scope. Scanning the rest depends on the policy, but usually you scan all internet-facing and important servers (AD, DBs, etc.) and devices.

The management VLAN should be locked down to access only from certain PCs, and ideally those PCs should be scanned.

User PCs usually fall under one departmental or company management policy from AD GPOs and WSUS. You can take a sample of PCs and scan them. The results should be similar.

For DR, it depends what kind of DR. Does it have live data for hot failover? If yes, then it falls under the same scanning policy as production. If it's warm DR, then you need to scan the storage devices holding the backup data.